Department of Homeland Security
Office of Inspector General

Information Technology Management Letter for the FY 2013 Department of Homeland Security’s Financial Statement Audit – Office of Financial Management and Office of Chief Information Officer

OIG-14-108                                  June 2014


OFFICE OF INSPECTOR GENERAL
Department of Homeland Security
Washington, DC 20528 / www.oig.dhs.gov

June 24, 2014

MEMORANDUM FOR:    Luke McCormack
                   Chief Information Officer

                   Chip Fulghum
                   Acting Chief Financial Officer

FROM:              Richard Harsche
                   Acting Assistant Inspector General
                   Office of Information Technology Audits

SUBJECT:           Information Technology Management Letter for the FY 2013 Department of Homeland Security’s Financial Statement Audit – Office of Financial Management and Office of Chief Information Officer

Attached for your information is our final report, Information Technology Management Letter for the FY 2013 Department of Homeland Security’s Financial Statement Audit – Office of Financial Management and Office of Chief Information Officer. This report contains comments and recommendations related to information technology internal control deficiencies that were not required to be reported in the Independent Auditors’ Report.

We contracted with the independent public accounting firm KPMG LLP (KPMG) to conduct the audit of Department of Homeland Security fiscal year 2013 consolidated financial statements. The contract required that KPMG perform its audit according to generally accepted government auditing standards and guidance from the Office of Management and Budget and the Government Accountability Office. KPMG is responsible for the attached management letter dated March 11, 2014, and the conclusion expressed in it.

Please call me with any questions, or your staff may contact Sharon Huiswoud, Director, Information Systems Audit Division, at (202) 254-5451.

Attachment


KPMG LLP
Suite 12000
1801 K Street, NW
Washington, DC 20006

March 11, 2014

Office of Inspector General,
Chief Information Officer and Chief Financial Officer,
U.S. Department of Homeland Security

Ladies and Gentlemen:

We have audited the financial statements of the U.S. Department of Homeland Security (DHS or Department) for the year ended September 30, 2013 (referred to herein as the “fiscal year (FY) 2013 financial statements”), and have issued our report thereon dated December 11, 2013. In planning and performing our audit of the financial statements of DHS, in accordance with auditing standards generally accepted in the United States of America and Government Auditing Standards, we considered internal control over financial reporting (internal control) as a basis for designing our auditing procedures for the purpose of expressing our opinion on the financial statements. In conjunction with our audit of the financial statements, we also performed an audit of internal control over financial reporting in accordance with attestation standards issued by the American Institute of Certified Public Accountants.

In accordance with Government Auditing Standards, our Independent Auditors’ Report, dated December 11, 2013, included internal control deficiencies identified during our audit that, in aggregate, represented a material weakness in information technology (IT) controls and financial system functionality at the DHS Department-wide level. This letter represents the separate limited distribution report mentioned in that report, of matters related to the Office of Financial Management (OFM) and the Office of the Chief Information Officer (OCIO).

During our audit we noted certain matters involving internal control and other operational matters that are presented for your consideration. These comments and recommendations, all of which have been discussed with the appropriate members of management and communicated through Notices of Findings and Recommendations (NFRs), are intended to improve internal control or result in other operating efficiencies and are summarized as described below.

With respect to OFM’s and OCIO’s financial systems’ IT controls, we noted certain matters in the areas of security management, access controls, and contingency planning. These matters are described in the General IT Control Findings and Recommendations section of this letter.

During our audit we noted certain matters involving financial reporting internal controls (comments not related to IT) and other operational matters, including certain deficiencies in internal control that we consider to be significant deficiencies and material weaknesses, and communicated them in writing to management and those charged with governance in our Independent Auditors’ Report and in a separate letter to the Office of Inspector General and the DHS Chief Financial Officer.

Our audit procedures are designed primarily to enable us to form an opinion on the financial statements and on the effectiveness of internal control over financial reporting, and therefore may not bring to light all deficiencies in policies or procedures that may exist. We aim, however, to use our knowledge of DHS’ organization gained during our work to make comments and suggestions that we hope will be useful to you.

We would be pleased to discuss these comments and recommendations with you at any time.

The purpose of this letter is solely to describe comments and recommendations intended to improve internal control or result in other operating efficiencies. Accordingly, this letter is not suitable for any other purpose.

Very truly yours,

KPMG LLP is a Delaware limited liability partnership, the U.S. member firm of KPMG International Cooperative (“KPMG International”), a Swiss entity.


Department of Homeland Security
Information Technology Management Letter
Office of Financial Management / Office of the Chief Information Officer
September 30, 2013

TABLE OF CONTENTS

Objective, Scope, and Approach
General IT Control Findings and Recommendations
   Summary
   Findings
   Recommendations
IT Application Controls
FY 2013 IT Notices of Findings and Recommendations at OFM and OCIO


OBJECTIVE, SCOPE, AND APPROACH

Objective

We have audited the financial statements of the U.S. Department of Homeland Security (DHS or Department) for the year ended September 30, 2013 (referred to herein as the “fiscal year (FY) 2013 financial statements”). In connection with our audit of the FY 2013 financial statements, we performed an evaluation of selected general information technology (IT) controls (GITCs) and IT application controls at the DHS Office of the Chief Financial Officer (OCFO) Office of Financial Management (OFM) and the DHS Office of the Chief Information Officer (OCIO) to assist in planning and performing our audit engagement.

Scope

DHS Treasury Information Executive Repository (DHSTIER) is the system of record for the DHS consolidated financial statements and is used to track, process, and perform validation and edit checks against monthly financial data uploaded from each of the DHS components’ core financial management systems. DHSTIER is administered jointly by the OCFO Resource Management Transformation Office and the OCFO OFM and is hosted on the DHS OneNet at the Stennis Data Center in Mississippi.

Approach

General Information Technology Controls

The Federal Information System Controls Audit Manual (FISCAM), issued by the U.S. Government Accountability Office, formed the basis of our GITC evaluation procedures.

FISCAM was designed to inform financial statement auditors about IT controls and related audit concerns to assist them in planning their audit work and to integrate the work of auditors with other aspects of the financial statement audit. FISCAM also provides guidance to auditors when considering the scope and extent of review that generally should be performed when evaluating GITCs and the IT environment of a Federal agency. FISCAM defines the following five control categories to be essential to the effective operation of GITCs and the IT environment:

• Security Management – Controls that provide a framework and continuing cycle of activity for managing risk, developing security policies, assigning responsibilities, and monitoring the adequacy of computer-related security controls.

   • In conjunction with our test work of security management GITCs, limited after-hours physical security testing at select OFM and OCIO facilities was conducted to identify potential control deficiencies in non-technical aspects of IT security.

• Access Control – Controls that limit or detect access to computer resources (data, programs, equipment, and facilities) and protect against unauthorized modification, loss, and disclosure.

• Configuration Management – Controls that help to prevent unauthorized changes to information system resources (software programs and hardware configurations) and provide reasonable assurance that systems are configured and operating securely and as intended.

• Segregation of Duties – Controls that constitute policies, procedures, and an organizational structure to manage who can control key aspects of computer-related operations.

• Contingency Planning – Controls that involve procedures for continuing critical operations without interruption, or with prompt resumption, when unexpected events occur.

IT Application Controls

We performed testing over selected key IT application controls on financial systems and applications to assess the financial systems’ internal controls over the input, processing, and output of financial data and transactions. FISCAM defines application controls as the structure, policies, and procedures that apply to separate, individual application systems, such as accounts payable, inventory, or payroll.


GENERAL IT CONTROL FINDINGS AND RECOMMENDATIONS

Summary

During FY 2012, OFM and OCIO took corrective action to address certain prior year IT control deficiencies. For example, OFM and OCIO made improvements over strengthening controls around system security authorization and configuration management. However, during FY 2013, we continued to identify GITC deficiencies that could potentially impact DHS’ financial data related to controls over security management, access control, and contingency planning for DHS’ core financial system.

Collectively, the IT control deficiencies limited DHS’ ability to ensure that critical financial and operational data were maintained in such a manner to ensure confidentiality, integrity, and availability. In addition, these deficiencies negatively impacted the internal controls over DHS’ financial reporting and its operations.

Of the four IT Notices of Findings and Recommendations (NFRs) issued during our FY 2013 testing, two were repeat findings from the prior year, and two were new findings. The four IT NFRs issued represent deficiencies in three of the five FISCAM GITC categories.

These deficiencies may increase the risk that the confidentiality, integrity, and availability of system controls and DHS’ financial data could be exploited, thereby compromising the integrity of DHS financial data used by management and reported in DHS’ financial statements.

While the recommendations made by us should be considered by DHS, it is the ultimate responsibility of DHS management to determine the most appropriate method(s) for addressing the deficiencies identified.

Findings

During our audit of the FY 2013 DHS financial statements, we identified the following OFM and OCIO GITC control deficiencies.

Security Management

After-Hours Physical Security Testing

On June 19, 2013, we performed after-hours physical security testing to identify risks related to non-technical aspects of IT security. These non-technical IT security aspects included physical access to printed or electronic media, equipment, or credentials residing within a DHS employee’s or contractor’s work area or shared workspaces which could be used by others to gain unauthorized access to systems housing financial or other sensitive information. The testing was performed at a DHS facility in Washington, DC, that processes, maintains, and/or has access to financial data.

We observed 40 instances where passwords, sensitive IT information (such as server names or IP addresses), unsecured or unlocked credit cards and laptops, and printed materials marked “For Official Use Only” or containing sensitive personally identifiable information were accessible by individuals without a “need to know”.

Access Controls

• Physical access to the interior rooms within DHS Enterprise Data Centers DC-1 and DC-2 hosting key DHS financial systems was not consistently recertified.

Contingency Planning

• DHSTIER backup logs were not consistently maintained or rotated to an offsite storage facility.

Recommendations

We recommend that the DHS OCIO and DHS OCFO make the following improvements to DHS’ financial management systems and associated IT security program.

Security Management

• Continue to conduct DHS security awareness training and increase monitoring activities to enforce compliance with the criteria established by the DHS rules of behavior related to safeguards against unauthorized physical access of sensitive DHS information.

Access Controls

• Fully define and document responsibility for, and consistently implement, controls related to the periodic review of physical access to the interior rooms within DC-1 and DC-2 hosting key DHS financial systems.

Contingency Planning

• Continue to sustain the corrective action implemented during FY 2013 to enforce existing policies and procedures related to DHSTIER backups to ensure that logs are consistently maintained and rotated to an offsite storage facility.


IT APPLICATION CONTROLS

We conducted testing over certain DHSTIER application controls supporting in-scope processes during the OFM and OCIO component of the FY 2013 DHS financial statement audit and did not identify any control deficiencies.


FY 2013 IT NOTICES OF FINDINGS AND RECOMMENDATIONS AT OFM AND OCIO

FY 2013 NFR #   NFR Title                                                                                  FISCAM Control Area    New Issue   Repeat Issue
CONS-IT-13-01   Security Awareness Issues Identified during After-Hours Physical Security Testing at DHS   Security Management                X
OCIO-IT-13-01   Inadequate Recertification of DC-2 Physical Access                                         Access Controls                    X
OCIO-IT-13-02   Backup Log Rotation Not Consistently Performed                                             Contingency Planning   X
OCIO-IT-13-03   Inadequate Recertification of DC-1 Physical Access                                         Access Controls        X


OFFICE OF INSPECTOR GENERAL
Department of Homeland Security

Appendix A
Report Distribution

Department of Homeland Security

Secretary
Deputy Secretary
Chief of Staff
Deputy Chief of Staff
General Counsel
Executive Secretary
Director, GAO/OIG Liaison Office
Assistant Secretary for Office of Policy
Assistant Secretary for Office of Public Affairs
Assistant Secretary for Office of Legislative Affairs
Under Secretary for Management
Chief Financial Officer
Chief Information Officer
Chief Information Security Officer
Chief Privacy Officer

Office of Management and Budget

Chief, Homeland Security Branch
DHS OIG Budget Examiner

Congress

Congressional Oversight and Appropriations Committees, as appropriate

www.oig.dhs.gov                                                             OIG-14-108


ADDITIONAL INFORMATION

To view this and any of our other reports, please visit our website at: www.oig.dhs.gov.

For further information or questions, please contact Office of Inspector General (OIG) Office of Public Affairs at: DHS-OIG.OfficePublicAffairs@oig.dhs.gov, or follow us on Twitter at: @dhsoig.

OIG HOTLINE

To expedite the reporting of alleged fraud, waste, abuse or mismanagement, or any other kinds of criminal or noncriminal misconduct relative to Department of Homeland Security (DHS) programs and operations, please visit our website at www.oig.dhs.gov and click on the red tab titled "Hotline" to report. You will be directed to complete and submit an automated DHS OIG Investigative Referral Submission Form. Submission through our website ensures that your complaint will be promptly received and reviewed by DHS OIG.

Should you be unable to access our website, you may submit your complaint in writing to:

       Department of Homeland Security
       Office of Inspector General, Mail Stop 0305
       Attention: Office of Investigations Hotline
       245 Murray Drive, SW
       Washington, DC 20528-0305

You may also call 1(800) 323-8603 or fax the complaint directly to us at (202) 254-4297.

The OIG seeks to protect the identity of each writer and caller.